Page 31 - GCN, March/April 2016

INDUSTRY INSIGHT
BY CHASE CUNNINGHAM
5 principles to ensure the Cybersecurity National Action Plan’s success
The Obama administration’s Cybersecurity National Action Plan calls for an increase in federal funding and a litany of policy changes and information-sharing initiatives. CNAP is a much-needed top-down commitment to enact change, and though money alone will not win the cyber battle, it certainly helps remove any barriers — technical or otherwise — for developing and implementing a sound cybersecurity strategy.
There are, however, some important considerations as we move forward.
1. Keeping up with technology. Technological discoveries are unfolding with exponential velocity. Acknowledging the speed of innovation is critical as the public and private sectors collaborate to defend the country against foreign and domestic cyberthreats. No matter how well intended, policies will never mature fast enough to manage or corral innovation or the potential for threats that accompanies new systems. Only technology, combined with innovation, can keep pace with technology.
2. In with the new. One of the major components of CNAP is the allocation of $3.1 billion for the IT Modernization Fund, which will be used to retire the legacy technology that is rife with vulnerabilities and too expensive to operate securely in today’s threat landscape. However, before the old tech is retired, the new infrastructure, applications and systems must be tested, integrated, secured, measured and deployed. Simply tossing fixes together in a haphazard manner will not work.
Strong multifactor authentication will likely be the first step in this modernization process. The approach requires a combination of biometrics, secure protocols and cloud technology. Using a weak second factor — such as a four-digit PIN or an out-of-band SMS text — will result in failure. Next, natural-language processing and machine-learning techniques, combined with targeted innovation around data classification, should be adopted.
3. Biometrics, not numbers. The White House was smart to advocate phasing out the use of Social Security numbers for identifying or authenticating citizens. That archaic identification system too easily links to personally identifiable information that is highly valuable to threat actors.
With a few exceptions, everyone possesses a variety of biometrics assets (e.g., fingerprints, retinas) that are better identifiers of who they are than a number ever could be. Switching to biometric identifiers would help solve a variety of social and criminal issues — from fraud to illegal immigration — and the technology already exists and is proven.
4. No new agencies. Although CNAP asks for the establishment of additional agencies and commissions, there’s little need to spend another billion dollars setting up a handful of new organizations to oversee cybersecurity; the National Security Agency and the National Institute of Standards and Technology already do that.
It would be more effective and efficient for the federal government to collaborate with NSA and NIST to formalize reviews of new, deployable technologies that address the technical issues that are hindering our collective cyber posture. More agencies, departments and commissions will only dramatically slow what should be an agile and active cyber defense system.
5. Less money, more thinking. Cyber defense doesn’t need to be a money pit. There are thousands of talented cybersecurity professionals, researchers and innovators in the public and private sectors who love difficult challenges. Many would jump at the chance to have an impact on a national level.
We can encourage that mass-scale commitment by enabling the exchange of ideas and funding the results. Top officials must make it worthwhile for small tech companies and expert security teams to innovate. The tech visionaries could stop hunting for funding from venture capitalists and instead gain investments from the government to design and build security solutions that will benefit the greater good.
— Chase Cunningham is director of cyberthreat research at Armor.